36.0 Inline power is available on Catalyst 3550-24-PWR, Catalyst 4500, and Catalyst 6500 switches.
37.0 The interface configuration command used to select the voice VLAN mode is given below:
switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}
vlan-id: PC data is carried on the native VLAN and voice packets are carried on a separate voice VLAN.
dot1p: PC data is carried on the native VLAN and voice packets are carried on VLAN 0.
untagged: both PC data and voice packets are carried on the native VLAN. No separate voice VLAN is required.
The default condition for every switch port is none, where a trunk is not used. All other modes, except 'none', use a special 802.1Q trunk.
The command
Switch# show power inline [type <mod>/<num>]
can be used to verify the inline power status for a switch port.
Three commonly used methods to verify user credentials at a switch port are:
a. By using a locally configured username and password
b. By using RADIUS authentication
c. By using TACACS+ authentication
1. To configure a username and password locally, use the following command in global configuration mode on the switch:
username <username> password <password>
2. To define authentication using RADIUS, use the command
radius-server host {<hostname> | <ip-address>} [key <string>]
to define the server along with its shared secret password.
3. Define a group name that will contain a list of servers using the command:
Switch(config)# aaa group server {radius | tacacs+} <group-name>
4. Now, define each server of the group by using the command:
Switch(config)# server <ip-address>
If you have more than one RADIUS or TACACS+ server, repeat the above command for each server.
Use the command
login authentication {default | listname}
on a line to make user authentication on that line use an AAA method list.
Catalyst switches provide port-level security by using MAC addresses to control access to a switch port. The command
Switch(config-if)# switchport port-security
enables port security on a switch port.
To statically define one or more MAC addresses that are allowed on a switch interface, use the command:
Switch(config-if)# switchport port-security mac-address <mac address>
For example, to allow the MAC address 0013.0002.0023, use the command:
Switch(config-if)# switchport port-security mac-address 0013.0002.0023
You can set the maximum number of MAC addresses that are allowed on a port by using the command:
Switch(config-if)# switchport port-security maximum <max-number-of-mac-addresses>
To allow a maximum of 2 MAC addresses to access a switch port, use:
Switch(config-if)# switchport port-security maximum 2
By default, one MAC address is allowed access on each switch port.
38.0 The following are true about switch port security:
1. The IEEE standard 802.1x defines the switch port security. Most of the Catalyst class of switches support this standard. However, the end-user PC must also comply with the standard for it to be implemented.
2. When you enable port security on a switch, by default only one MAC address can be learned. To allow more than one MAC address on a switch port simultaneously, use the command:
switchport port-security maximum <max-number>
3. You can either define the allowed MAC addresses statically or allow the port to learn the MAC addresses. If you define only part of the maximum allowed MAC addresses statically, the remaining MAC addresses are learned dynamically. This may lead to a security breach if misused.
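The check below is an added example, not part of the original notes: it audits interface stanzas for the situation in point 3, where the configured maximum exceeds the number of static MAC addresses, and for ports where port-security options are set but the feature itself is not enabled. The sample configuration, the interface names and the address 0013.0002.0024 are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0013.0002.0023
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address 0013.0002.0024
!
interface FastEthernet0/3
 switchport port-security maximum 2
"""

MAC_RE = re.compile(
    r"switchport port-security mac-address ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})$", re.I)
MAX_RE = re.compile(r"switchport port-security maximum (\d+)$")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-command lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_port_security(config):
    """Return {interface: finding} for ports whose port security needs review."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        enabled = "switchport port-security" in lines
        static = [m.group(1) for l in lines if (m := MAC_RE.match(l))]
        # The default maximum is one MAC address per port.
        maximum = next((int(m.group(1)) for l in lines if (m := MAX_RE.match(l))), 1)
        if not enabled and (static or any(MAX_RE.match(l) for l in lines)):
            findings[name] = "port-security options set but feature not enabled"
        elif enabled and len(static) < maximum:
            findings[name] = f"{maximum - len(static)} address slot(s) left to dynamic learning"
    return findings
```

A port that is flagged for open slots is not necessarily misconfigured; the finding marks where any device plugged in first will be accepted as an allowed address.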
39.0 The following are true about PVLANs:
1. There are three types of private VLAN ports: promiscuous, isolated, and community.
1.1 Promiscuous port: A promiscuous port communicates with all other PVLAN ports, and is the port typically used to communicate with external routers, servers, administrative workstations, etc.
1.2 Isolated port: An isolated port has complete L2 separation, including broadcasts, from other ports within the same PVLAN, with the exception of the promiscuous port. Traffic received from an isolated port is forwarded to all promiscuous ports only. None of the other isolated ports receive traffic from another isolated port.
1.3 Community port: Community ports can communicate among themselves and with their promiscuous ports. Community ports are isolated at L2 from all other ports in other communities, or isolated ports within their private VLAN. Broadcasts are forwarded only between associated community ports and the promiscuous port.
2. Switches that use PVLANs must be configured for transparent VTP mode.
3. Isolated ports can only forward traffic to promiscuous ports.
4. In a PVLAN, promiscuous ports are called the primary VLAN, while community and isolated ports are called secondary VLANs.
5. A PVLAN will only have one primary VLAN, but may have several secondary VLANs.
40.0 The command sequence to map the promiscuous ports to primary and secondary VLANs is as given below:
switch(config)# interface fastethernet 3/9
switch(config-if)# switchport mode private-vlan promiscuous
switch(config-if)# switchport private-vlan mapping 100 10,20